The purpose of this Cyber Security Policy is to set out Capital Sky’s commitment to cyber security and confirm the functional responsibilities of management, devolved divisions, and all colleagues towards achieving these objectives.

The objective of cyber security is to minimise the risk of harm to, or destruction of, computer networks, applications, devices, and data. Failure to adequately secure these assets may result in major operational disruption, inability to deliver services, and loss of intellectual property or of customer or business data, and could potentially lead to reputational damage, regulatory fines, and significant financial impact.

Responsibilities

This policy applies to all employees, suppliers, contractors, or any other persons granted access to Capital Sky’s technology and information assets.

We are all responsible for using systems and technology in accordance with this policy and the Code of Ethics and Conduct. Failure to do so could result in disciplinary action, termination of contract, or in extreme cases, criminal prosecution.

Policy Principles

Organisational Security

Capital Sky manages the risk of security exposure or compromise by ensuring that:

  • There is a risk-based approach to cyber security in support of Capital Sky’s overall strategic objectives. Cyber risk is owned by individual business units, and any risk that could impact the group will be escalated to management.
  • Business areas are responsible for operating security controls effectively for business-operated systems and technology.
  • The Group Cyber Security function is responsible for group-level cyber risk management and reporting these risks into the Enterprise Risk Management function.
  • The Group Cyber Security function will provide advisory support to functional/devolved divisional areas responsible for implementing and operating security controls.

Functional Responsibilities

Management are responsible for:

  • Committing to actively supporting Cyber Security within Capital Sky through clear direction, acknowledgement of responsibilities, and providing the right level of resources to support the reduction of Cyber Security risks.
  • Acting as a point of escalation and participating in the response to Cyber Security incidents.
  • Supporting the requirements of this policy, including communicating the consequences of non-compliance to the workforce and third parties, and addressing adherence in third-party agreements.

Directors and Managers throughout the business are responsible for:

  • Owning and managing cyber security risks within their business area.
  • Promoting the importance of Cyber Security and resilience within their teams.
  • Supporting cyber incident preparedness activities and prioritising remediation where significant gaps need to be addressed.
  • Ensuring their teams attend appropriate job-specific and mandatory security training.
  • Fostering the participation of Cyber Security and technical staff in protecting information assets, and in identifying, selecting, and implementing appropriate and cost-effective security controls and procedures.
  • Developing and maintaining appropriate business continuity and disaster recovery plans.

All Capital Sky colleagues are responsible for:

  • Completing mandatory cyber awareness training and becoming familiar with the basic levels of security needed to protect data.
  • Reading and understanding the Cyber Security policies and conducting their activities accordingly.
  • Reporting suspected cyber security incidents or weaknesses to the Cyber Security team.

The Cyber Security team is responsible for:

  • Developing the security programme in support of the group strategy.
  • Maintaining strong relationships with business functions to evaluate and understand cyber security risks and working with them to appropriately manage those risks.
  • Establishing and maintaining enterprise cyber security policies and standards.
  • Maintaining an adequate level of current knowledge and proficiency in cyber security through ongoing education and contact with security groups, associations, and relevant authorities.
  • Continually improving and developing appropriate Cyber Security capabilities.
  • Advising on security issues related to suppliers of products and services.
  • Promoting cyber security awareness and culture.
  • Maintaining strong relationships across the industry and with appropriate government agencies.